UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF INSPECTOR GENERAL
Information Technology Audits and Computer Crime Investigations

DATE:     July 18, 2011

TO:       Danny Harris
          Chief Information Officer

FROM:     Charles E. Coe, Jr. /s/
          Assistant Inspector General
          Information Technology Audits and Computer Crime Investigations

SUBJECT:  Investigative Program Advisory Report
          Incident Response and Reporting Procedures
          (10-110283) Control Number L21L0001

The Office of Inspector General (OIG) has conducted investigations of potential computer crimes over the past two years. During these investigations, OIG has identified problems with how the U.S. Department of Education (Department) handled computer security incidents. Specifically, the Department did not detect, report, or respond to incidents in accordance with the Department's Handbook for Information Security Incident Response and Reporting Procedures, OCIO-14.

To ensure the Department's systems and networks are protected, OIG made one recommendation:

    1. Enforce the contract's requirement for Perot Systems to comply with OCIO-14 when performing incident response, or develop a separate capability to perform incident response in accordance with OCIO-14.
       The incident response capability, whether or not maintained by Perot Systems, should include:

           • Providing incident response personnel with the appropriate training and tools to collect and preserve evidence in a quick and forensically sound manner (in person or remotely);
           • Analyzing information to determine the root cause of an incident and to determine the extent of damage;
           • Implementing appropriate hardware, software, and procedures to activate full content network monitoring in a timely manner to support the incident response process and to assist in discovery of the incident's root cause.

Attached is the subject Investigative Program Advisory Report (IPAR) that covers our review of the Incident Response and Reporting Procedures.

550 12th St SW, Suite 8000
Washington, DC 20202

The Department of Education's mission is to promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access.

Corrective actions proposed (resolution phase) and implemented by your staff will be monitored and tracked in the Audit Accountability and Resolution Tracking System (AARTS). Department policy requires that you develop a final corrective action plan (CAP) for our review in the automated system within 45 days of the issuance of this report.
The CAP should set forth the specific action items, and targeted completion dates, necessary to implement final corrective actions on the findings and recommendation contained in the IPAR.

If you have any questions concerning this IPAR, please contact Special Agent in Charge, Mark A. Smith at (202) 245-7019.

Attachment

UNITED STATES
DEPARTMENT OF EDUCATION
OFFICE OF INSPECTOR GENERAL

Investigative Program Advisory Report

Incident Response and Reporting Procedures
(10-110283)

Control Number: L21L0001

July 14, 2011

IPAR: Incident Response and Reporting Procedures - L21L0001

Table of Contents
Acronyms/Abbreviations Used in this Report
Incident Response and Reporting Procedures
A. Executive Summary
B. Background
      The EDUCATE Contract
C. The Department has not Detected, Reported, or Responded Appropriately to Security Incidents
      Malware Infection of EDUCATE Systems
      EDUCATE Connections to a Known Malicious Website
D.
Conclusion
E. Recommendations
Attachment 1 - Previous Findings
Attachment 2 - OCIO-14 Incident Response Life Cycle

Acronyms/Abbreviations Used in this Report

CIO             Chief Information Officer
CSMC            Cyber Security Management Center
Department      U.S. Department of Education
EDCIRC          U.S.
                Department of Education's Computer Incident Response Capability
EDUCATE         Education Department Utility for Communications, Applications and Technology Environment
IT              Information Technology
MSSP            Managed Security Services Provider
NetBIOS         Network Basic Input/Output System
NIST            National Institute of Standards and Technology
OCIO            Office of the Chief Information Officer
OCIO-14         Handbook for Information Security Incident Response and Reporting Procedures
OCIO-IA         Office of the Chief Information Officer, Information Assurance Services
OIG             Office of Inspector General
SER             Suspicious Event Report
SLA             Service Level Agreement
US-CERT         United States Computer Emergency Readiness Team

Investigative Program Advisory Report
Incident Response and Reporting Procedures

A. Executive Summary

During Office of Inspector General (OIG) investigations of potential computer crimes over the past two years, OIG identified problems with how the U.S. Department of Education (Department) handled computer security incidents. Specifically, the Department did not detect, report, or respond to incidents in accordance with the Department's Handbook for Information Security Incident Response and Reporting Procedures, OCIO-14, which is based on Federal guidelines and industry best practices.

OIG reported these issues to the Department starting in March 2009 (Attachment 1).
These failures have prevented the collection of information that could aid the Department in identifying all compromised computers, the actions or vulnerability that enabled the incident, the objective of the incident, and the source. They have left the Department's systems and data vulnerable. In this report, we articulate our concerns and make a recommendation to address these problems.

B. Background

The Department's Chief Information Officer (CIO) is responsible for developing and enforcing the policy and procedures for information technology (IT) security within the entire Department. One aspect of IT security is the monitoring and detection of security incidents on a computer or computer network and properly responding to those incidents. OCIO-14 [1] contains Department requirements related to incident response and reporting procedures.

OCIO-14 defines a computer security incident as "a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices." [2] Pursuant to OCIO-14, Office of the Chief Information Officer (OCIO) Information Assurance Services (OCIO-IA) manages the Department's Computer Incident Response Capability (EDCIRC), which serves as the primary Department-wide contact for all incident reporting and response activities. The EDCIRC coordinator is responsible for analyzing each incident and coordinating the response and additional reporting activities, to include the reporting of critical incidents to the United States Computer Emergency Readiness Team (US-CERT). [3]

Under OCIO-14, OIG performs investigations in response to attacks against, as well as the unauthorized access of, Department information systems, networks, databases, and computer communication systems. OCIO-14 also states it is necessary for any incident responder to

[1] OCIO-14 dated June 26, 2007, was updated on March 2, 2011.
Unless otherwise specified, both versions of OCIO-14 are substantially similar for the issues addressed in this Investigative Program Advisory Report.
[2] OCIO-14 adopted the definition of the National Institute of Standards and Technology (NIST). NIST Special Publication 800-61: Computer Security Incident Handling Guide, Revision 1 (March 2008).
[3] US-CERT is the Federal Incident Management Center for the Federal Government and serves as the focal point for cyber-security issues in the United States.

coordinate his or her actions with EDCIRC prior to taking any actions that may affect the data on a system. EDCIRC is directed to consult with OIG on appropriate actions to ensure that all potential evidence is preserved.

The EDUCATE Contract

The "Education Department Utility for Communications, Applications, and Technology Environment" (EDUCATE) contract between the Department and Perot Systems established a contractor-owned, contractor-operated IT service model for the Department under which the contractor is required to provide the total IT platform and infrastructure to support Department employees in meeting the Department's mission.

EDUCATE's Performance Work Statement, 6.1.1.6 – Security & Privacy Information Assurance, states in pertinent part,

        The contractor shall protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
        The contractor shall provide comprehensive and all-inclusive security and privacy operations for EDUCATE IT Resources and services on a 24/7/365 basis. The contractor shall provide all necessary IT Resources to deliver all security and privacy operations herein. These services shall include all security and privacy operations in accordance with all Federal authorities (laws, regulations), Federal standards and guidelines, and Government and Department Policy (please refer to the Constraints section).

The referenced Constraints section states in pertinent part,

        The contractor's proposed solution shall be compliant, in all respects, with all applicable federal and departmental security, acquisition, IG, and asset management laws, regulations, rules, and policies. As new laws, regulations, guidance and policy is [sic] promulgated, the contractor is expected to review, plan for and comply with such authorities. The contractor shall comply with the following authorities included in, but not limited to, Sections 8.1 through 8.8.

At section 8.8.8, included among listed Department of Education Policies, is the "Handbook for Information Security Incident Response and Reporting Procedures" (OCIO-14).

To clarify these security operations, the EDUCATE contract has Service Level Agreements (SLAs), which provide and describe the performance metrics needed to accomplish the intended mission.
The SLAs covering Security Operations and Incident Response require the contractor to provide security operational services as determined by mutually agreed upon procedures, in accordance with US-CERT Federal Incident Reporting guidelines as defined at the time of the SLA's approval, and in accordance with the Infrastructure Solutions Security Operations Center Standard Operation Procedure (SOC SOP).

In August 2008, the Department acquired the independent services of the Cyber Security Management Center (CSMC) through an interagency agreement with the U.S. Department of Transportation. [4] This agreement states the objective is to "provide continuous monitoring and testing to ensure the EDUCATE contractor(s) delivers real-time detection, assessment, response and remediation related to all relevant cyber incidents." All incidents detected by CSMC are forwarded to EDCIRC. As set forth in OIG's Final Alert Memorandum, Implementation of the Managed Security Services Provider Contract, Control Number ED-OIG/L19K0011, dated September 24, 2010, [redacted: (b)(7)(E)]

To provide additional monitoring, the Department signed an interagency agreement with US-CERT to monitor the EDUCATE network with the Einstein program. The Einstein program monitors the network gateways of the participating agencies for unauthorized traffic. Thus, it provides the Federal civilian government with a process for collecting, correlating, analyzing, and sharing computer security information.
The Einstein program is not meant to replace an agency's own security filtering or intrusion-detection systems, but it does provide US-CERT with the intelligence to see activity in various parts of the Federal networks and to alert on suspicious traffic if it is identified. US-CERT sends suspicious traffic information concerning the EDUCATE network to EDCIRC for additional investigation. [redacted: (b)(7)(E)]

[redacted: (b)(7)(E)]

C. The Department has not Detected, Reported, or Responded Appropriately to Security Incidents

Under OCIO-14 and applicable procedures, once a computer security incident is discovered, a number of actions are required (Attachment 2). The incident must be reported and evidence of the incident must be properly collected and reviewed (the detection/identification phase); the incident must be stopped before it spreads or causes more damage, the actions performed must be documented, and the destruction of evidence must be prevented (the containment phase); the cause of the incident must be identified and mitigated (the eradication phase); the affected systems must be restored to an unaffected state (the recovery phase); and the data and process must be reviewed to determine if there are any lessons learned (the follow-up phase). A root cause analysis (RCA) must also be performed. [5]

[4] The interagency agreement was renegotiated on August 13, 2010.
[5] SLA SP-1 was the primary SLA applicable to the incident response process and, prior to its March 2011 revision, explicitly referenced an RCA. The current SLAs incorporate the SOC SOP, which requires an RCA. OCIO-14, dated 03/02/2011, requires a root cause analysis to be performed as part of the final stage in the incident response life cycle.
The previous version of OCIO-14, dated 06/26/2007, did not specifically state a root cause analysis was

Prompt notifications, the initial response, and access to data pertaining to the incident are all critical to ensuring that evidence is preserved, that the incident can be properly contained and mitigated, and that an accurate root cause analysis can be conducted. The following examples illustrate security incidents in Department systems that were not handled in accordance with OCIO-14 and applicable procedures. In particular, there were instances in the last two years when untimely notification, improper response, and lack of access to systems and data have resulted in the loss of potential evidence.

Malware Infection of EDUCATE Systems

In July 2010, a suspicious event report (SER) generated by Perot Systems indicated an EDUCATE computer, located in Washington, D.C., was communicating to suspected hostile websites, and the communication resembled known malicious traffic. Instead of capturing and preserving the evidence, which includes the network traffic, the live system data, [6] or a forensic image of the system, Perot Systems pulled the system off the network, thus preventing the collection of additional data that would have aided in discovering the root cause of the incident. If Perot Systems had coordinated with EDCIRC, EDCIRC could have either collected the live data itself or contacted OIG to collect the data. A subsequent OIG review of the system determined the system was infected with malware, but OIG was unable to continue its investigation.
OIG did not have enough data to determine the source or purpose of the infection, because Perot Systems had unintentionally altered the data as a result of its failure to properly implement evidence collection procedures.

Similarly, a month later, a scheduled antivirus scan discovered malware on a different EDUCATE computer located in Washington, D.C. Again, instead of preserving the evidence, Perot Systems removed the system from the network and powered off the computer, which destroys the volatile data held in memory. As a result of Perot Systems' improper remediation, OIG was unable to obtain any live system data or an image of the system for analysis. Subsequent analysis determined the malware caused the computer to conduct unauthorized network scanning of the EDUCATE network. Malware uses this technique to gather intelligence about the network and then uses that knowledge to carry out additional attacks. Because Perot Systems did not respond properly to this incident, data was lost, and OIG was unable to determine the source and purpose of the scanning and how the system was initially infected.

EDUCATE Connections to a Known Malicious Website

One of the more serious recent incidents of improper response occurred on an internal system in the EDUCATE infrastructure located in the Plano Technology Center, [redacted: (b)(7)(E)]. On July 6, 2010, EDCIRC and OIG received a SER from CSMC stating a computer

(footnote 5, continued) required, but it did require the incident to be documented and that the lessons learned from the incident be discussed and reviewed.
[6] Live system data is collected while the system is running and includes volatile and nonvolatile data. Volatile data includes system random access memory and running processes.
(footnote 6, continued) Nonvolatile data includes system data such as registry settings and local log files.

was making numerous attempts to connect to a known malicious overseas Internet Protocol address through the Network Basic Input/Output System (NetBIOS) protocol stack. [7]

Upon notification of the incident, OIG requested, through EDCIRC, to have the live data on the system preserved. Perot Systems looked at the previous month's firewall logs and discovered the suspicious activity was on-going throughout the previous month. Instead of preserving the evidence, Perot Systems conducted a full system anti-virus scan. [8] Perot Systems contacted the vendor of the system's main application and learned the NetBIOS protocol stack was not required for the application to operate. Perot Systems then deactivated the NetBIOS protocol stack, and as a result, the observed traffic stopped.

On July 8, 2010, after OIG was notified of Perot Systems' actions, it requested a forensic image of the system and, if that was not immediately possible, OIG reiterated its request for the system's live data. OIG suggested the use of its Live Response Program to collect this data since there were Perot Systems technicians who were trained in its use. [9] Five days after this request, EDCIRC informed OIG that Perot Systems refused to run the program. Ultimately, OIG contacted the Department's CIO for assistance, and the CIO ordered Perot Systems to allow OIG to run the tool and collect the data.
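What a minimal live-response collector of the kind described in footnote 9 looks like, as an added example; this is not OIG's Live Response Program or any Department or Perot Systems tool. It assumes a Linux host (it reads /proc directly so it still works where ss, netstat or ps are not installed); the artifact names and the case-directory layout are invented for the illustration. It collects the most volatile state first, writes every artifact to a case directory, records a SHA-256 for each in a manifest, and can later verify that the collected copy is unchanged.

```python
#!/usr/bin/env python3
"""Added example of a live-response collector (not the OIG program).

Order of volatility: date/time, network state and process list are taken
before mounts and modules, because a power-off or reboot erases them.
A manifest of SHA-256 hashes lets a reviewer show that the artifacts
handed over are the artifacts taken. Assumes Linux /proc (assumption).
"""
import datetime
import hashlib
import json
import os
import socket
from pathlib import Path


def _read(path):
    return Path(path).read_text(errors="replace")


def proc_list():
    """PID, PPID and command line for every process, straight from /proc."""
    rows = []
    for pid in sorted((p for p in os.listdir("/proc") if p.isdigit()), key=int):
        try:
            cmd = _read(f"/proc/{pid}/cmdline").replace("\0", " ").strip()
            status = _read(f"/proc/{pid}/status")
            ppid = next(l.split()[1] for l in status.splitlines() if l.startswith("PPid:"))
            rows.append(f"{pid}\t{ppid}\t{cmd or '[no cmdline]'}")
        except (OSError, StopIteration):
            continue  # process exited between listing and read
    return "PID\tPPID\tCMD\n" + "\n".join(rows) + "\n"


def net_connections():
    """Raw kernel socket tables; available even if ss/netstat are absent."""
    return "".join(f"== {t} ==\n{_read(f'/proc/net/{t}')}" for t in ("tcp", "tcp6", "udp"))


# (artifact name, collector), most volatile first. Names are hypothetical.
COLLECTORS = [
    ("01_datetime.txt", lambda: datetime.datetime.now(datetime.timezone.utc).isoformat() + "\n"),
    ("02_hostname.txt", lambda: socket.gethostname() + "\n"),
    ("03_uptime.txt", lambda: _read("/proc/uptime")),
    ("04_net_connections.txt", net_connections),
    ("05_process_list.txt", proc_list),
    ("06_mounts.txt", lambda: _read("/proc/mounts")),
    ("07_kernel_modules.txt", lambda: _read("/proc/modules")),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(case_dir, collectors=COLLECTORS):
    """Run every collector, write artifacts and manifest.json, return the manifest."""
    case = Path(case_dir)
    case.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
                "artifacts": {}}
    for name, fn in collectors:
        out = case / name
        try:
            data = fn()
        except Exception as exc:  # a failed collector is recorded, never fatal
            data = f"COLLECTION FAILED: {exc!r}\n"
        out.write_text(data)
        manifest["artifacts"][name] = {"sha256": sha256_file(out), "bytes": out.stat().st_size}
    (case / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(case_dir):
    """Return the names of artifacts that are missing or no longer match the manifest."""
    case = Path(case_dir)
    manifest = json.loads((case / "manifest.json").read_text())
    bad = []
    for name, meta in manifest["artifacts"].items():
        p = case / name
        if not p.exists() or sha256_file(p) != meta["sha256"]:
            bad.append(name)
    return bad


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "case-001"
    m = collect(target)
    print(f"collected {len(m['artifacts'])} artifacts into {target}; mismatches: {verify(target)}")
```

The run takes seconds, which is the point the report makes about its own tool: collection of this kind is far cheaper than the evidence it preserves, and it must happen before the system is scanned, unplugged or powered off, because the first five artifacts do not survive those actions.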
The live data was collected from the system by an OIG employee on July 14, 2010.

As required by its contract, Perot Systems provided a root cause analysis to OCIO-IA on August 5, 2010, but it was rejected by OCIO-IA because it did not identify the root cause and contained inaccurate statements. To date, OCIO-IA has not received another root cause analysis on this incident.

On August 9, 2010, OIG made another request for a forensic image of the system and requested the backups of the system as it existed before the incident, but it learned Perot Systems had not made backups of this system. On September 2, 2010, Perot Systems shipped a logical copy of the system to OIG (Perot Systems told OIG that it could not shut the system down; therefore, only a logical copy, as opposed to a forensic image, could be provided). Given that a logical copy provides only a limited amount of data, OIG was unable to examine crucial areas of the system. [10]

[7] NetBIOS allows applications on different computers to communicate within a local area network.
[8] The scan detected no malware. However, much of the malware in circulation today will drop additional malware or utilities onto a system. Depending on the release date of the malware, it may not be immediately identifiable by the anti-virus software: most anti-virus vendors have a lag between the first appearance of a piece of malware and the release of a signature that detects and removes it, so a clean scan is not evidence that a system is clean.
[9] [redacted: (b)(7)(E)] OIG developed a program to assist the responding technicians in the collection of the necessary data, OIG's Live Response Program. This program is a series of scripts and programs built for the purpose of acquiring system evidence in a consistent and simple manner.
Initially, Perot Systems agreed to use the program, but it later declined when OIG attempted to schedule training for Help Desk personnel, indicating it would take too much time to run. The program takes approximately 15 minutes to run.
[10] A logical copy of a system provides only a partial view of the entire system. It does not capture critical files that are in use by the operating system, nor does it collect deleted files, file slack, and free space. Critical evidence is often located and available for examination only within a forensic image of a hard drive. A forensic image can also be acquired from a running system with live-acquisition tools, so the inability to shut a system down does not by itself preclude a full physical acquisition.

After it reviewed the logical copy, OIG asked to speak with the Perot Systems technicians who worked on this incident. Perot Systems, through EDCIRC, informed OIG that it would not be allowed to talk directly to the Perot Systems technicians, and it would need to submit questions to Perot Systems managers who would get the answers and provide them to OIG. Ultimately, OIG was able to interview the technicians after several days of coordinating with a Perot Systems attorney.

On October 8, 2010, OIG asked EDCIRC to capture the current network traffic of the system. [redacted: (b)(7)(E)]

[redacted: (b)(7)(E)] Perot Systems stated it would start the network capture anyway and allow it to run for a 24-hour period. Two days later, OIG was informed no data was captured because the official request was never entered into the incident tracking system. [redacted: (b)(7)(E)]

At every critical juncture, Perot Systems or OCIO failed to properly respond to the NetBIOS incident.
Although Perot Systems' initial actions may have contained the incident, Perot Systems destroyed potential evidence by running a full system anti-virus scan and then shutting off the NetBIOS protocol stack. [redacted: (b)(7)(E)] Perot Systems or OCIO forced OIG to step in to undertake these activities. By its delays in then allowing OIG to retrieve the live data, as well as by its failure to provide a forensic image and its impeding of – albeit temporarily – OIG's access to Perot Systems technicians, Perot Systems also hampered evidence collection.

[redacted: (b)(7)(E)]

D. Conclusion

The Department and its contractor Perot Systems have not properly responded to computer security incidents in accordance with OCIO-14 and Perot Systems' contract. Perot Systems' preferred method for dealing with many of the reported incidents seems to be to remove the infected system from the network and attempt to clean the system by running a virus scan, before there is any attempt to collect the potential evidence. Not only does this practice violate the containment procedures set forth in OCIO-14, but it also hampers the investigative process that is part of the detection/identification phase, and can destroy the potential of determining the root cause that is part of the eradication phase of OCIO-14.
In addition, Perot Systems was unable to [redacted: (b)(7)(E)], was slow to provide requested data and access to Perot Systems' employees, and has not completed root cause analyses that identified the root cause of these incidents.

Because Perot Systems has ignored the initial stages of the incident response life cycle and proceeded directly to the recovery phase, the Department has been unable to discover what it did not know about the incident, including the source of the problem and the various systems that might be impacted. The Department is then unable to determine if there are any lessons to be learned from the incident, as is required in the follow-up phase of OCIO-14. This could leave the Department's data and systems vulnerable.

E. Recommendations

To ensure the Department's systems and networks are protected, OIG recommends that the Chief Information Officer:

    Enforce the contract's requirement for Perot Systems to comply with OCIO-14 when performing incident response, or develop a separate capability to perform incident response in accordance with OCIO-14.
    The incident response capability, whether or not maintained by Perot Systems, should include:
        • Providing incident response personnel with the appropriate training and tools to collect and preserve evidence in a quick and forensically sound manner (in person or remotely);
        • Analyzing information to determine the root cause of an incident and to determine the extent of damage;
        • Implementing appropriate hardware, software, and procedures to activate full content network monitoring in a timely manner to support the incident response process and to assist in discovery of the incident's root cause.

Attachment 1 - Previous Findings

Over the last two years, OIG identified, reported, and made recommendations to the Department on the following weaknesses within incident response and reporting, based on OCIO-14 requirements:

Memorandum, OIG Information Technology Security Concerns, dated March 11, 2009.
    • Department systems made frequent outbound connections to foreign sites known to contain malware.
    • CSMC alerts increased as a result of improved coverage and tuning.
      CSMC started to generate repeat findings because the Department failed to identify the computer responsible for the suspicious activity in prior alerts.
    • Since January 2009, there were approximately 60 virus or malware detections on Department computers per week.
    • There was an increase in keylogger data incidents as reported by US-CERT.

Email to the OCIO-Information Assurance: Urgent IT Security Issue, dated June 8, 2010.
    Based on a review of network traffic, OIG identified potentially compromised systems, as well as numerous Department computers, which were communicating with hostile Internet sites that had not yet been identified by the Department as suspicious.

Investigative Program Advisory Report, Bypassing of Web Content Filtering, Control Number L21K0001, dated July 20, 2010.
    Users throughout the Department were circumventing web filtering by adding an "s" to the "http" before a uniform resource locator in their browsers. The https traffic went undetected under the current configuration of the web filtering program, because the filter inspected only unencrypted HTTP requests and let TLS-encrypted connections to the same sites pass uninspected.

    [redacted: (b)(7)(E)]

Final Alert Memorandum, Implementation of the Managed Security Services Provider Contract, Control Number ED-OIG/L19K0011, dated September 24, 2010.
    The Department had not effectively implemented its managed security services provider (MSSP) contract with CSMC.
    The memorandum discussed [redacted: (b)(7)(E)]

Attachment 2 - OCIO-14 Incident Response Life Cycle

Summarized below are the six stages of the incident response life cycle, as found in OCIO-14, which were adopted from NIST Special Publication 800-61, Revision 1:

    Preparation: The initial phase consists of the development of policy and procedures and the identification and implementation of other components required for the response.

    Detection/Identification: This phase involves the collection and review of the evidence of an intrusion.

    Containment: This phase includes stopping an incident before it spreads or causes more damage, while also documenting the actions performed, making two disk images of the system, and gathering and reviewing the network, system and application logs.

    Eradication: The identification and mitigation of the cause of the incident is the purpose of this phase.

    Recovery: The restoration of affected systems to an unaffected state and their validation in terms of functionality and security are the components of this phase.

    Follow-up: The final part of the incident response process involves the review of data, in an effort to determine if there are any lessons to be learned from an incident.

UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF THE CHIEF INFORMATION OFFICER

June 24, 2011

MEMORANDUM

TO:
Charles E. Coe, Jr.
Assistant Inspector General

FROM: Danny A. Harris, PhD
Chief Information Officer
Office of the Chief Information Officer

SUBJECT: Investigative Program Advisory Report (IPAR)
Control No. L21L0001

Thank you for the opportunity to respond to the Office of Inspector General's (OIG) Investigative Program Advisory Report (IPAR), "Incident Response and Reporting Procedures" (Case # 10-110283) Control No. L21L0001. OIG conducted an investigation over the past two years starting in 2009 that revealed instances in which the Department did not detect, report, or respond to incidents in accordance with the Department's Handbook for Information Security Incident Response and Reporting Procedures, OCIO-14. The report provides recommendations that the Chief Information Officer (CIO) take one action to improve incident response throughout the agency. Below is the Department's proposed response to your recommendation based upon the draft report:

Recommendation 1. Enforce the contract's requirement for Perot Systems to comply with OCIO-14 when performing incident response, or develop a separate capability to perform incident response in accordance with OCIO-14. The incident response capability, whether or not maintained by Perot Systems, should include:

• Providing incident response personnel with the appropriate training and tools to collect and preserve evidence in a quick and forensically sound manner (in person or remotely);

• Analyzing information to determine the root cause of an incident and to determine the extent of damage;

• Implementing appropriate hardware, software, and procedures to activate full content network monitoring in a timely manner to support the incident response process and to assist in discovery of the incident's root cause.

400 MARYLAND AVE., S.W., WASHINGTON, DC 20202-4580
www.ed.gov

Our mission is to ensure equal access to education and to promote educational excellence throughout the nation.

While we agree with this recommendation, we would like to state that the Office of the Chief Information Officer (OCIO) has been exercising due diligence in steadily improving the Department's Incident Response program. More specifically, OCIO IAS has initiated and/or completed the following activities to ensure the Department and its contractor, Dell Systems (formerly known as "Perot Systems"), properly responds to computer security incidents in accordance with the Department's Handbook for Information Security Incident Response and Reporting Procedures, OCIO-14:

• OCIO IAS has recently hired a GS-15 Cyber Security Director to oversee the operational protection and defense of the Department's information and information systems. The U.S. Department of Education's Computer Incident Response Capability (EDCIRC) was given two additional staffing allocations from within IAS to include a certified computer forensic analyst.

• All EDCIRC personnel have attended specialized training in Incident Handling and Response and/or forensic analysis within 2011.

• OCIO IAS has strengthened the EDCIRC relationship with Cyber Security Management Center (CSMC), the Department's Federal Managed System Security Provider, and built enhanced analysis capabilities to include analysis of advanced persistent threat activity. Furthermore, OCIO is working with CSMC to expand visibility of all Department networks (to include FSA and American Data Technology Incorporated-ADTI) by installing Network Intrusion Detection Systems (NIDS) on the inside of the firewalls within the networks. Additionally, both the EDCIRC and CSMC are leveraging and utilizing Einstein capabilities to conduct inbound and outbound traffic analysis.

• OCIO is leveraging the IA Enhancement funding, authorized by the Secretary, to develop an automated Enterprise-wide Continuous Monitoring program that enables the EDCIRC to have near-real time situation awareness of system configurations, vulnerabilities, automated change detection, and automated patch management. Additionally, the EDCIRC has purchased forensic analysis tools which will assist with discovering any root cause analysis for intrusions when they occur.

• OCIO is leveraging the IA Discovery Project, supported and endorsed by the Secretary, to identify all assets on the Education Department Utility for Communications, Applications and Technology Environment (EDUCATE) and the FSA Virtual Data Center (VDC) networks, identify and remediate associated vulnerabilities, and to establish recommendations and a roadmap to incorporate solutions to address identified systemic issues. This effort kicked off in January 2011 and is nearing completion. Through this endeavor several critical vulnerabilities have already been identified and remediated.

• OCIO has also established new Security Service Level Agreements with Dell Systems in March 2011 to address identified weaknesses in the government's ability to track security issues. The Chief Information Security Officer (CISO) is continuing to review and analyze security requirements within the Dell Systems contract and how those requirements are being enforced.

• OCIO IAS has initiated an enterprise approach to information security, working closely with Federal Student Aid (FSA), Institute of Education Sciences (IES), and other data centers to consolidate and standardize capabilities, standardize processes, improve response times, and achieve cost efficiencies through economies of scale.

• OCIO-14, Handbook for Information Security Incident Handling and Reporting Procedures, has been updated, staffed, and published in March 2011.

In summary, the OCIO acknowledges that the capabilities, processes, and procedures that have been or are being put into place are still nascent but feel that the Cyber Security Incident Response capability within the Department is being built on a strong foundation and has a solid trajectory for enhanced capability. The OCIO and the EDCIRC will continue to work with FSA, Dell Systems, and the OIG to synchronize and enhance our business processes to ensure the protection and defense of the Department of Education's information and information systems.

Thank you again for the opportunity to comment on this report. If you have any questions, please contact me at (202) 245-6252 or Danny.Harris@ed.gov.